$2.3 Million of Colonial Pipeline Ransom Payment Recovered
Justice Department Tracked the Payment to an FBI-Controlled Bitcoin Wallet
The U.S. Justice Department on Monday reported it recouped $2.3 million of the $4.4 million ransom Colonial Pipeline Co. paid following a May 7 DarkSide ransomware attack.
The DOJ's Ransomware and Digital Extortion Task Force coordinated the effort, in which the FBI tracked part of the payment to a bitcoin wallet it controls, enabling law enforcement officials to recover the money.
"By reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the 'private key,'" said Justice Department Deputy Attorney General Lisa Monaco in a Monday press conference.
Monaco and FBI Deputy Director Paul Abbate said Colonial Pipeline's early notification to law enforcement officials that it had been victimized by a ransomware attack and had paid the ransom enabled the recovery effort.
"When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington D.C. to share with them what we knew at that time. The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics," says Colonial Pipeline CEO Joseph Blount.
Blount acknowledged on May 19 that he had authorized the payment of a $4.4 million ransom just hours after the company was hit on May 7 by a DarkSide ransomware attack. Blount is scheduled to answer questions about the attack before the Senate Committee on Homeland Security and Governmental Affairs on Tuesday and then before the House Homeland Security Committee on Wednesday.
"Today we deprived a cybercriminal enterprise of the object of their activity, their financial proceeds and funding. For financially motivated cybercriminals, especially those presumably located overseas, cutting off their access to revenue is one of the most impactful consequences we can pose," Abbate said.
The attack caused Colonial Pipeline to temporarily shut down its pipeline operation, crippling the distribution of gasoline and other fuel supplies along the East Coast through the company's 5,500 miles of pipeline and leaving gas stations in several states dry as panicky motorists filled up their cars.
The Justice Department's Ransomware and Digital Extortion Task Force was created in April to target the "ransomware criminal ecosystem as a whole," which means prosecuting those behind the attacks as well as those who launder money that's extorted.
The new task force's goals also include devising ways to increase training and resources to address ransomware attack risks; boost intelligence gathering; leverage investigative leads, including connections between cybercriminal gangs and nation-state groups; and improve coordination across the Justice Department.
The FBI's Evidence
In the June 7 affidavit filed with the U.S. District Court, Northern District of California in support of the seizure, the FBI notes that it was advised by Colonial Pipeline, which is identified as Victim X in the document, that on May 8 it had been hit with a ransomware attack by a group known as DarkSide. Colonial Pipeline employees saw a message on their screens saying a ransomware attack was taking place.
"A Tor website address was provided that claimed to have links to samples of the data that had been exfiltrated and a ransom was demanded of approximately 75 bitcoins," the affidavit says.
The 75 bitcoins were valued at about $4.3 million on May 8.
The attack directly impacted Colonial's ability to operate, forcing it to take portions of its critical infrastructure offline, the document says.
After being advised of the attack, the FBI was able to see two bitcoin transactions on the bitcoin public ledger totaling 75 bitcoins going to two specific addresses, the agent conducting the investigation says in the affidavit. One payment was for 75.0005 bitcoin and the second for 0.00001639.
Also on May 8, the attacker consolidated the two payments, moving the larger 75.0005 bitcoin payment to the same bitcoin address where the smaller payment was held, he says. Later the same day the bitcoins were redistributed again, with just over 69 bitcoins being sent to a wallet controlled by the FBI. The FBI was able to identify 63 of these bitcoins as coming from the Colonial payment, the agent says.
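As an added illustration of the kind of public-ledger tracing the affidavit describes (this is not part of the article, and not the FBI's or Elliptic's tooling), the Python below applies proportional "haircut" taint attribution over a constructed transaction graph whose shape mirrors the described flow: two victim payments, a consolidation, then a redistribution that mixes in unrelated funds. All txids, addresses and amounts are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list    # (prev_txid, output_index) pairs this tx spends
    outputs: list   # (address, amount_btc) pairs this tx creates

def trace_taint(txs, victim_outputs):
    """Proportional ("haircut") taint: each output of a spending tx inherits victim
    BTC in proportion to its share of that tx's inputs; the miner fee absorbs the rest.
    txs must be in chronological order."""
    by_id = {t.txid: t for t in txs}
    taint = {out: by_id[out[0]].outputs[out[1]][1] for out in victim_outputs}
    for tx in txs:
        in_total = sum(by_id[p].outputs[i][1] for p, i in tx.inputs)
        in_taint = sum(taint.get((p, i), 0.0) for p, i in tx.inputs)
        if in_taint == 0.0:
            continue  # funding txs with no inputs, or spends of untainted coins
        for i, (_, amount) in enumerate(tx.outputs):
            taint[(tx.txid, i)] = in_taint * amount / in_total
    return taint

def unspent_taint_by_address(txs, taint):
    """Sum attributed BTC per address over outputs not spent within the graph."""
    spent = {inp for tx in txs for inp in tx.inputs}
    totals = {}
    for tx in txs:
        for i, (addr, _) in enumerate(tx.outputs):
            if (tx.txid, i) not in spent and (tx.txid, i) in taint:
                totals[addr] = totals.get(addr, 0.0) + taint[(tx.txid, i)]
    return totals

# Constructed graph with hypothetical txids and addresses; amounts mirror the
# shape of the described flow (two payments, consolidation, mixed redistribution).
TXS = [
    Tx("pay1", [], [("addr_A", 75.0005)]),             # victim payment 1
    Tx("pay2", [], [("addr_B", 0.00001639)]),          # victim payment 2
    Tx("other", [], [("addr_B", 5.5)]),                # unrelated funds, untainted
    Tx("consolidate", [("pay1", 0)], [("addr_B", 75.0004)]),  # fee 0.0001
    Tx("redistribute", [("consolidate", 0), ("pay2", 0), ("other", 0)],
       [("addr_seized", 69.2), ("addr_rest", 11.3)]),
]
VICTIM_OUTPUTS = {("pay1", 0), ("pay2", 0)}

def run_example():
    """Victim-attributable BTC sitting at each unspent address after redistribution."""
    return unspent_taint_by_address(TXS, trace_taint(TXS, VICTIM_OUTPUTS))
```

Because the final output mixes tainted and untainted inputs, only part of the 69.2 BTC at the seized address is attributed to the victim, which is the same kind of gap between "just over 69" sent and "63" identified that the affidavit reports.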
It's unclear exactly how the FBI was able to obtain the private key for the address holding the funds.
The FBI appears to have recovered the portion of the ransom that went to the DarkSide affiliate that launched the attack against Colonial, writes Tom Robinson, co-founder and chief scientist of Elliptic, which makes blockchain analytics software. In the Colonial attack, 85% of the bitcoin went to the affiliate, with 15% going to the DarkSide group that developed the ransomware, he writes.
A bitcoin's value changes regularly, so even though most of the bitcoins involved in the ransom were recovered, their value had dropped to $2.3 million at the time of their seizure.
In addition to the FBI, the cryptocurrency tracking firm Elliptic was able to identify 47 bitcoin wallets that made ransom payments to DarkSide, including Colonial Pipeline.
Tom Robinson, Elliptic's co-founder and chief scientist, said in May that Elliptic, using proprietary blockchain analysis tools, tracked Colonial Pipeline paying DarkSide about $5 million in two separate payments to a wallet on May 8 and May 10.
Robinson said about 100 DarkSide attacks have been identified, so apparently almost 50% of the gang's attacks resulted in a ransom payment, with an average payment of $1.9 million, according to Elliptic's analysis.
DarkSide's moneymaking empire started off slowly but peaked in February when the group and its affiliates brought in just over $20 million, Elliptic says, based on its wallet research. Ransom payments totaled roughly $15 million in March, $8 million in April and $14 million in May, Elliptic reports.